LITE-31768 LITE-31797 Initial implementation

maxipavlovic · maxipavlovic · commit 811505437ba1 · 2025-02-10T00:09:07.000+01:00
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,11 @@
+FROM kong:latest
+
+ADD . /opt/kong-to-waf
+
+USER root
+
+RUN cd /opt/kong-to-waf && \
+    luarocks build && \
+    cd && rm -rf /opt/kong-to-waf
+
+USER kong
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,53 @@
+volumes:
+  kong_data: {}
+
+networks:
+  kong-net:
+    external: false
+
+services:
+  kong:
+    container_name: kong-test
+    build: .
+    user: 'root'
+    platform: linux/amd64
+    environment:
+      KONG_DECLARATIVE_CONFIG: /opt/conf/kong.yml
+      KONG_ADMIN_ACCESS_LOG: /dev/stdout
+      KONG_ADMIN_ERROR_LOG: /dev/stderr
+      KONG_ADMIN_LISTEN: '0.0.0.0:8001'
+      KONG_DATABASE: 'off'
+      KONG_PROXY_ACCESS_LOG: /dev/stdout
+      KONG_PROXY_ERROR_LOG: /dev/stderr
+      KONG_PLUGINS: kong-to-waf
+    networks:
+      - kong-net
+    ports:
+      - "8000:8000/tcp"
+      - "127.0.0.1:8001:8001/tcp"
+      - "8443:8443/tcp"
+      - "127.0.0.1:8444:8444/tcp"
+    healthcheck:
+      test: ["CMD", "kong", "health"]
+      interval: 10s
+      timeout: 10s
+      retries: 10
+    restart: on-failure
+    depends_on:
+      - waf
+    volumes:
+      - .:/opt/conf/
+    command: sh /opt/conf/run.sh
+
+  waf:
+    container_name: waf-mock
+    build:
+      context: ./tests/integration
+      dockerfile: waf-mock.Dockerfile
+    networks:
+      - kong-net
+    expose:
+      - "80"
+    volumes:
+      - ./tests/integration:/app
+    command: uvicorn waf-mock:app --port=80 --host=0.0.0.0 --reload
diff --git a/kong-to-waf-1.0.0-1.rockspec b/kong-to-waf-1.0.0-1.rockspec
@@ -0,0 +1,28 @@
+package = "kong-to-waf"
+
+version = "1.0.0-1"
+
+supported_platforms = {"linux", "macosx"}
+
+source = {
+  url = "git://github.com/cloudblue/kong-to-waf",
+  tag = "1.0.0"
+}
+
+description = {
+  summary = "Kong Gateway plugin for WAF offloading",
+  license = "Apache License, Version 2.0",
+  maintainer = "CloudBlue Connect <together@cloudblue.com>"
+}
+
+dependencies = {
+}
+
+build = {
+  type = "builtin",
+  modules = {
+    ["kong.plugins.kong-to-waf.access"] = "src/access.lua",
+    ["kong.plugins.kong-to-waf.handler"] = "src/handler.lua",
+    ["kong.plugins.kong-to-waf.schema"] = "src/schema.lua",
+  }
+}
diff --git a/kong.yml b/kong.yml
@@ -0,0 +1,13 @@
+_format_version: "1.1"
+
+services:
+- name: upstream
+  url: https://example.com
+  plugins:
+  - name: kong-to-waf
+    config:
+      waf_host: waf-mock
+  routes:
+  - name: route
+    paths:
+    - /
diff --git a/run.sh b/run.sh
@@ -0,0 +1,3 @@
+cd /opt/conf/
+luarocks make --local
+kong start
diff --git a/src/access.lua b/src/access.lua
@@ -0,0 +1,65 @@
+local http = require "resty.http"
+
+local _M = {}
+
+local function get_path()
+    if kong.request.get_raw_path ~= nil then
+        return kong.request.get_raw_path()
+    else
+        return kong.request.get_path()
+    end
+end
+
+local function call_waf(config)
+    local ok, err
+    local host = config.waf_host
+    local port = tonumber(config.waf_port)
+    local path = config.waf_uri or ""
+
+    local httpc = http.new()
+    httpc:set_timeout(config.waf_timeout)
+    ok, err = httpc:connect(host, port, {pool_size = config.waf_conn_pool_size})
+    if not ok then
+        kong.log.err('Failed to connect to WAF service')
+        return
+    end
+
+    local headers = kong.request.get_headers()
+    headers['X-Forwarded-Host'] = kong.request.get_host()
+    headers['X-Forwarded-Method'] = kong.request.get_method()
+    headers['X-Forwarded-Path'] = get_path()
+    headers['X-Forwarded-For'] = kong.client.get_forwarded_ip()
+
+    local res
+    res, err = httpc:request({
+        method = config.waf_method,
+        path = path .. kong.request.get_path_with_query(),
+        headers = headers
+    })
+
+    if not res then
+        kong.log.err('Failed to get response from WAF service')
+        return
+    end
+
+    res:read_body()
+    httpc:set_keepalive(config.waf_keepalive)
+
+    if res.status >= 400 then
+        kong.log.warn('WAF service responded with ' .. tostring(res.status) .. ': ' .. path)
+        if config.mode == 'full' then
+            return kong.response.exit(403)
+        end
+    end
+end
+
+function _M.execute(config)
+    local mode = config.mode
+    if mode == 'disabled' then
+        return
+    end
+
+    call_waf(config)
+end
+
+return _M
diff --git a/src/handler.lua b/src/handler.lua
@@ -0,0 +1,13 @@
+local access = require "kong.plugins.kong-to-waf.access"
+
+
+local KongToWAF = {
+    VERSION = "1.0.0",
+    PRIORITY = 1090
+}
+
+function KongToWAF:access(config)
+    access.execute(config)
+end
+
+return KongToWAF
diff --git a/src/schema.lua b/src/schema.lua
@@ -0,0 +1,25 @@
+local typedefs = require "kong.db.schema.typedefs"
+
+return {
+    name = "kong-to-waf",
+    fields = {
+        { consumer = typedefs.no_consumer },
+        { config = {
+            type = "record",
+            fields = {
+                { mode = { type = "string", default = "full", one_of = { "disabled", "only-log", "full" } } },
+                { waf_method = { type = "string", default = "GET", one_of = { "GET" } } },
+                { waf_proto = { type = "string", default = "http", one_of = { "http" } } },
+                -- TODO: Add support for https
+                { waf_host = { type = "string", default = "localhost" } },
+                { waf_port = { type = "number", default = 80 } },
+                { waf_uri = { type = "string", required = false } },
+                { waf_timeout = { type = "number", default = 10000 } },
+                { waf_keepalive = { type = "number", default = 60000 } },
+                { waf_conn_pool_size = { type = "number", default = 6 } },
+                -- TODO: Add track ID
+            },
+        },
+      },
+    },
+}
diff --git a/tests/integration/waf-mock-reqs.txt b/tests/integration/waf-mock-reqs.txt
@@ -0,0 +1,2 @@
+fastapi
+uvicorn
diff --git a/tests/integration/waf-mock.Dockerfile b/tests/integration/waf-mock.Dockerfile
@@ -0,0 +1,7 @@
+FROM python:latest
+
+COPY waf-mock-reqs.txt r.txt
+RUN pip install -r r.txt
+
+ADD . /app
+WORKDIR /app
diff --git a/tests/integration/waf-mock.py b/tests/integration/waf-mock.py
@@ -0,0 +1,22 @@
+from typing import Optional
+
+from fastapi import FastAPI, Request, Response, status
+
+
+app = FastAPI()
+
+
+@app.get('/{full_path:path}')
+async def mock(
+    request: Request,
+    response: Response,
+    full_path: Optional[str] = '',
+):
+    print(request.headers)
+
+    response.status_code = status.HTTP_200_OK
+
+    if '.exe' in full_path:
+        response.status_code = status.HTTP_403_FORBIDDEN
+
+    return response.status_code

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+cd /opt/conf/`
	`2`	`+luarocks make --local`
	`3`	`+kong start`